Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption

Posted by timothy on from the process-not-product dept.

ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

2 of 23 comments (clear)

  1. Re:Duh by Dragonslicer · · Score: 4, Interesting

    It's been well over a decade since the weaknesses of RC4 have been widely disseminated. No surprises here.

    The summary fails to mention (anyone surprised?) that this is where the name comes from. Apparently the flaws have been known for 13 years.

  2. Slashdot from 2013 calling :) by DougPaulson · · Score: 3, Interesting

    "Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987", Thursday March 14, 2013